DETROIT – A more dynamic workforce means the list of people requiring network access changes every day. Employees, contractors and other short-term network users must be provisioned by the IT staff, often using a manual, time-consuming process that does not meet just-in-time business requirements or provide an adequate record for auditing and regulatory compliance.

Manually enabling and disabling network access for temporary users is time-consuming and costly. At the same time, heightened concerns around privacy and compliance, as well as legal and human-resource considerations, are impacting the organization dramatically.

Often the responsibility for implementing safeguards and procedures falls to the IT department. A study by the Computer Security Institute, “2002 CSI/FBI Computer Crime and Security Survey,” shows most attempts to violate network security are performed by people who once had legitimate network access but whose relationship with the company has ended, rather than by people who are completely outside the organization.

The cost and potential security vulnerabilities of de-provisioning a user should not be underestimated. Some network administrators use calendar notes to remind them to disable user accounts at some future date and time. This approach is not reliable and, even with the best of intentions, user accounts can remain active long after the guest user’s legitimate need for network access has ended.

These dormant accounts present a very real risk to the enterprise and can cause a company to fail a security audit. To address these shortcomings, IT has to guarantee that user accounts automatically expire when it decides the user’s network access must end.

Provisioning network access for guests and other short-term network users requires an easy-to-use solution that is more secure and less costly.

An enterprise-class guest services solution should:

- Allow guests to access the network from conference rooms, training areas, labs, lobbies & other public access areas.

- Control whether guest users may access the network using various access methods, including wired, wireless & VPN network access.

- Restrict guest-user access to particular subnets or VLANs, or allow access only to the external Internet.

- Support authenticated network access for guest users with & without 802.1X-enabled devices.

- Provide an audit trail for guest-user access consistent with the audit capabilities required for employees and contractors.

- Remove the responsibility for guest access provisioning from IT and reassign it to the party responsible for issuing guest badges, or to the person responsible for scheduling conference rooms.

- Provide a provisioning capability for network access with accounts that automatically self-terminate at a scheduled time & date.

- Enable administrative staff to manage guest-user accounts, bypassing both IT services & helpdesk personnel.

- Maintain the guest-provisioning facility independent of the enterprise directory infrastructure, thereby avoiding hard-to-manage dependencies.

- Support easy customization of the administration console & access zones, as well as allow for easy integration with existing email systems & web application servers.
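As an added illustration, not part of this column and not code from InterWorks Technology, the following Python model shows the two properties the column insists on for guest accounts: a hard expiry fixed at provisioning time (so nothing depends on a calendar reminder), and an audit record for every provisioning, authorization and automatic expiry event. It also confines each account to a guest VLAN and a set of permitted access methods. The class names, field names and the sample account are my own assumptions, not anything the column specifies.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum


class AccessMethod(str, Enum):
    """Access methods a guest account may be permitted to use (assumed names)."""
    WIRED = "wired"
    WIRELESS = "wireless"
    VPN = "vpn"


@dataclass
class GuestAccount:
    username: str
    sponsor: str            # non-IT sponsor: the badge issuer or room scheduler
    zone: str               # physical access zone, e.g. a conference room or lobby
    vlan: int               # guest VLAN the account is confined to
    methods: "frozenset[AccessMethod]"
    starts_at: datetime
    expires_at: datetime    # hard expiry; every account has one, no exceptions
    enabled: bool = True


@dataclass
class AuditEvent:
    when: datetime
    username: str
    action: str
    detail: str


class GuestStore:
    """Guest-provisioning store kept separate from the enterprise directory."""

    def __init__(self):
        self.accounts = {}
        self.audit = []

    def _log(self, when, username, action, detail):
        self.audit.append(AuditEvent(when, username, action, detail))

    def provision(self, username, sponsor, zone, vlan, methods, starts_at, hours, now):
        # Expiry is computed at creation; there is no way to create an open-ended account.
        acct = GuestAccount(username, sponsor, zone, vlan, frozenset(methods),
                            starts_at, starts_at + timedelta(hours=hours))
        self.accounts[username] = acct
        self._log(now, username, "provision",
                  f"by {sponsor}; zone={zone} vlan={vlan} expires={acct.expires_at.isoformat()}")
        return acct

    def authorize(self, username, method, now):
        """Return the guest VLAN to place the session in, or None to deny."""
        acct = self.accounts.get(username)
        if acct is None:
            self._log(now, username, "deny", "unknown account")
            return None
        # Time window is enforced at every authorization, not only by the sweep,
        # so a missed sweep never extends access past the scheduled expiry.
        if not acct.enabled or now < acct.starts_at or now >= acct.expires_at:
            self._log(now, username, "deny", "account disabled or outside its time window")
            return None
        if method not in acct.methods:
            self._log(now, username, "deny", f"method {method.value} not permitted")
            return None
        self._log(now, username, "allow", f"method={method.value} vlan={acct.vlan}")
        return acct.vlan

    def expire_sweep(self, now):
        """Disable every account whose scheduled expiry has passed; returns their names."""
        disabled = []
        for acct in self.accounts.values():
            if acct.enabled and now >= acct.expires_at:
                acct.enabled = False
                disabled.append(acct.username)
                self._log(now, acct.username, "auto-expire",
                          f"scheduled expiry {acct.expires_at.isoformat()} reached")
        return disabled


def demo():
    """Constructed sample: an eight-hour lobby visitor account, wireless only."""
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    store = GuestStore()
    store.provision("guest-001", "reception-desk", "lobby", 300,
                    {AccessMethod.WIRELESS}, t0, 8, t0)
    store.authorize("guest-001", AccessMethod.WIRELESS, t0 + timedelta(hours=1))  # -> 300
    store.authorize("guest-001", AccessMethod.VPN, t0 + timedelta(hours=1))       # -> None
    store.authorize("guest-001", AccessMethod.WIRELESS, t0 + timedelta(hours=9))  # -> None
    store.expire_sweep(t0 + timedelta(hours=9))                                   # -> ["guest-001"]
    return store


if __name__ == "__main__":
    for event in demo().audit:
        print(event.when.isoformat(), event.username, event.action, event.detail)
```

The sweep in `expire_sweep` is what a scheduler would run periodically to disable accounts and record the fact; the time check inside `authorize` is the safety net that makes a missed or late sweep harmless, which is the property the column's calendar-note approach lacks.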

These steps are the beginning of a larger “network identity management” architecture that companies will make part of their critical IT operating procedures. More on that next time…

This column was written by Caston Thomas of InterWorks Technology, “Driving organizations into a mobile world!” You can email Thomas at [email protected] or telephone him at (248) 608-0000 x304.